An unauthenticated token disclosure in OpenEMR's MedEx callback endpoint leaks API tokens, leading to PHI exfiltration and HIPAA violations.
Description
An unauthenticated token disclosure in OpenEMR's MedEx callback endpoint leaks API tokens, leading to PHI exfiltration and HIPAA violations.
AI Analyst Comment
Remediation
Update the MedEx Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: OpenEMR
PRODUCT: OpenEMR (MedEx Module)
AFFECTED_VERSIONS: Prior to 8.0.0
---END_METADATA---
Description Summary:
An unauthenticated token disclosure in OpenEMR's MedEx callback endpoint leaks API tokens, leading to PHI exfiltration and HIPAA violations.
Executive Summary:
OpenEMR contains a critical vulnerability where an unauthenticated attacker can steal MedEx API tokens, resulting in the exposure of sensitive patient health information.
Vulnerability Details
CVE-ID: CVE-2026-24898
Affected Software: OpenEMR
Affected Versions: Prior to 8.0.0
Vulnerability: The MedEx callback endpoint explicitly bypasses authentication ($ignoreAuth = true). By providing a callback_key via POST, an unauthenticated visitor triggers a login process that returns the full JSON response, including sensitive MedEx API tokens.
Business Impact
This vulnerability carries a CVSS score of 10. The exposure of API tokens allows for complete third-party service compromise, unauthorized actions on the MedEx platform, and the exfiltration of Protected Health Information (PHI). This constitutes a major security failure and a direct violation of HIPAA regulations.
Remediation Plan
Immediate Action: Upgrade OpenEMR to version 8.0.0 immediately. Following the upgrade, revoke and rotate all MedEx API tokens to ensure any previously leaked tokens are invalidated.
Proactive Monitoring: Review access logs for the MedEx callback endpoint for unauthorized POST requests and monitor MedEx platform logs for suspicious activity.
Compensating Controls: Implement IP whitelisting for the MedEx callback endpoint so that only legitimate MedEx servers can communicate with the application.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Mar 3, 2026, there is no public information indicating active exploitation. Given the sensitivity of the data involved, this vulnerability is a prime target for attackers seeking medical records.
Analyst Recommendation
This is a critical security flaw with severe legal and financial implications. We strongly urge immediate patching and token rotation to protect patient data and maintain regulatory compliance.